From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-003

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

			     BASH PATCH REPORT
			     =================

Bash-Release:	4.4
Patch-ID:	bash44-003

Bug-Reported-by:	op7ic \x00 <op7ica@gmail.com>
Bug-Reference-ID:	<CAFHyJTopWC5Jx+U7WcvxSZKu+KrqSf+_3sHPiRWo=VzXSiPq=w@mail.gmail.com>
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00005.html

Bug-Description:

Specially-crafted input, in this case an incomplete pathname expansion
bracket expression containing an invalid collating symbol, can cause the
shell to crash.

Patch (apply with `patch -p0'):

*** a/bash-4.4/lib/glob/sm_loop.c	2016-04-10 11:23:21.000000000 -0400
--- b/lib/glob/sm_loop.c	2016-11-02 14:03:34.000000000 -0400
***************
*** 331,334 ****
--- 331,340 ----
      if (p[pc] == L('.') && p[pc+1] == L(']'))
        break;
+    if (p[pc] == 0)
+     {
+       if (vp)
+ 	*vp = INVALID;
+       return (p + pc);
+     }
     val = COLLSYM (p, pc);
     if (vp)
***************
*** 484,487 ****
--- 490,496 ----
        c = FOLD (c);
  
+       if (c == L('\0'))
+ 	return ((test == L('[')) ? savep : (CHAR *)0);
+ 
        if ((flags & FNM_PATHNAME) && c == L('/'))
  	/* [/] can never match when matching a pathname.  */
*** a/bash-4.4/patchlevel.h	2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h	2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 2
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 3
  
  #endif /* _PATCHLEVEL_H_ */
